I just received an email from Github that they are now ofically begin to require users who contribute code need to have 2FA enabled.
Why isn’t password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?
Would like to hear your thoughts about this.
It’s 2023, we are almost already at Passkeys and you skipped TOTP (basically that “Google Authenticator” does) as 2FA?
anyway there are a lot of open source TOTP apps available to choose from like Aegis or if you want to sync it something like Bitwarden (Premium or Vaultwarden)
desktop apps also exist but that would defeat the point probablystay away from proprietary apps and do backups of these TOTP secrets or you’ll absolute will lock you out if you loose your phone somehow
I have some TOTPs for other accounts but used googles authenticator app for that as it wasn’t important to me.
Thank you very much for the Aegis recommendation, the transfer was easy and quick as well.
And yeah using a desktop app would remove the “What I have” factor :)
Use an open source 2FA which lets you export
You can store your recovery codes as files in KeepassXC
Sounds like a good approach
It is annoying, especially for those of us who are diligent about our existing factors and unlikely to be compromised, but the sad reality is that most people aren’t that diligent and supply chain attacks are a serious problem that needs addressing.
For your own projects, it might be worth considering a move away from GitHub. (I’ve been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.
For participating on existing projects, I suppose the silver lining is that they chose standard TOTP, instead of some awful proprietary system. I can use whatever open-source code generator I like.
supply chain attacks are a serious problem that needs addressing.
Last I checked: I am not a supplier. So I will not invest effort to secure some supply chain for people that I do not have any obligations to: The license clearly states “no warranty” for a reason. I do those projects for fun, not to bother me with security stuff, notifications about security problems some automatic thing “found” that do not really effect my code and bogus merge requests to upgrade dependencies for no reason… this are all cool things if you are a supplier, do not get me wrong, but I am not. No, I will not invest hours of my free time to sign binaries nobody uses either or to fill out security surveys for badges I can display on github.
If you want me to act like a supplier: Pay me like all the other suppliers you have. I doubt there is any interest to do so for the projects I have on my private github :-)
For your own projects, it might be worth considering a move away from GitHub. (I’ve been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.
That also has associated costs: Your project gets instantly much less visible, so you need to keep a mirror on github for visibility. Unfortunately that also means that you will also get interactions on github, so you will need to log in occasionally to not make people think the project is dead.
Yep; we’re on the same page. (I used that phrase only for the sake of succinct expression.)
I’ve already moved most of my projects off github to my own vhost, only some current active websites I have hosted there.
More secure. If my phone is stolen, they have full acces to my mailbox but they will look long and hard at my passworded 2FA app.
I know it can happen, but it sounds very unlikely. That someone who stole your phone has any interest in your github or other accounts. Worth is mostly the device, no?
If I were to steal someones phone in public I will assume they have at least a bank app and multiple apps with their card saved for easy buying. By the time they get access to another device or their banks I get enough time to do a lot of damage. I can also save some credentials for later access after the waters settle. I doubt my victim will go through each of their accounts and change passwords. Most users use a Gmail account which has multiple ways to get access back, and most users don’t know how to check them and disable what they use and not use. I can easy setup a sort of backdoor in their email and gather more important information.
You never know what important information you might store in your Github account. You have a donation link in your description? Would be a pity if I would change that link to my personal bank account and just divert some fund back in your bank account to not raise suspicion.
Huh, okay yeah you made your point and I see it now. Thanks :)
I received email for GitHub about it and honestly i kinda support it but they can do it better
On the one hand, security is good in the general case, and github has a right to set whatever (legal) conditions they want for the use of their services.
On the gripping hand, for the kind of stuff I’ve put on github in the past? Not worth even a tiny bit of additional friction, especially when I hate git to begin with. I’ve been procrastinating for a while now about moving or deleting existing repositories. Should get on it, I guess.
(There are also certain details of how they’ve executed their security upgrade, which locked some maintainers out of their projects at one point, that I don’t like, and which has reduced my already low trust in them.)
Most of my private and personal projects I host on my own server anyway but recently I began to contribute to public projects, and even if its just translations, and I would love to continue doing it. So I’ll use an Authenticator then for my github account.
I’m not particularly angry or stumped about this, but I agree that it should be the user’s choice. I value freedom, especially regarding software, and I’d much rather have an OS that lets me delete the root folder than one that does not let me delete system32, even if I never intend on doing any of those things. In much the same way, I think I should get to decide how much I am willing to protect a particular account. What github should do is point to the option of using 2FA and recommend it, with a brief explanation, not requiring it as policy.
2FA is more secure, and IMHO there’s no need to be upset.